RDStealer is a data-stealing malware written in Go. The infection chain also includes the Logutil backdoor, which provides persistent remote access to the compromised host and is used to advance the infection. Logutil is likewise written in Go and is cross-platform, with variants for Windows, Linux, and VMware ESXi.
RDStealer collects a range of sensitive data, but what sets this campaign apart is its ability to monitor incoming RDP (Remote Desktop Protocol) sessions and infect the connecting RDP clients. Campaigns distributing RDStealer have been active since early 2022. The tradecraft observed in the operation suggests a state-sponsored threat actor; while the exact origin is difficult to pinpoint, the campaign's targets align with Chinese interests.
RDStealer Overview
RDStealer campaigns exhibit a high level of sophistication and employ several techniques to avoid detection on compromised machines. One of them is placing the malware in folders that security solutions frequently exclude from scanning, typically Windows system directories and the installation folders of legitimate security and vendor software. For instance, an analysis of a Dell device infected with RDStealer found the malware in the following folders:
- %WinDir%\System32\
- %WinDir%\System32\wbem\
- %WinDir%\security\database\
- %PROGRAM_FILES%\f-secure\psb\diagnostics
- %PROGRAM_FILES_x86%\dell\commandupdate\
- %PROGRAM_FILES%\dell\md storage software\md configuration utility\
The selection of folders may vary, with the aim of evading detection by security tools. As mentioned earlier, RDStealer is a data-stealing malware that extracts and exfiltrates information from infected machines. This malicious program scans systems for various types of data and exfiltrates it from specific folders and applications.
The targeted data includes, but is not limited to, browsing history and saved login credentials from the Google Chrome browser, mRemoteNG (remote connections manager), MobaXterm (remote desktop client), and KeePass (password manager). In addition, RDStealer possesses keylogging capabilities to record keystrokes and can extract clipboard content (data copied to the copy/paste buffer).
Moreover, the malware’s reach extends beyond the initial infection, as it can spread to other devices connected through RDP. By monitoring incoming RDP connections, the infection can be transmitted to remote machines, especially if client drive mapping is enabled. Drive mapping is often enabled in large networks for tasks like file sharing between servers.
If conditions are favorable, the Logutil backdoor infects the remotely connected device and subsequently installs RDStealer. It’s worth noting that malware developers frequently enhance their creations, streamlining processes and adding additional functionalities. Therefore, future versions of RDStealer may possess different capabilities.
| Name | RDStealer |
| --- | --- |
| Damage | Severe privacy issues, financial losses, and the risk of identity theft. The malware extracts and exfiltrates sensitive data from infected machines, including saved login credentials, browsing history, keystrokes, and clipboard contents, which can compromise personal and confidential information of both individuals and organizations and enable further intrusion through the stolen credentials. |
Stealing from Remote Desktop
The Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables users to connect to Windows desktops remotely and interact with them as if they were physically present. This functionality is particularly beneficial for tasks such as remote work, technical support, system administration, and server management.
However, internet-exposed RDP servers are an attractive target for threat actors. Gaining access to an RDP server provides attackers with an entry point into a corporate network. Once inside, they can move laterally, expand their foothold, and conduct data theft or ransomware attacks.
One of the features included in the Remote Desktop Protocol is ‘device redirection.’ This feature allows users to connect their local drives, printers, clipboard, ports, and other devices to the remote host, making them accessible within the remote desktop session. When using device redirection in a Remote Desktop Protocol (RDP) session, you can access the shared resources on your local machine through a special network share called ‘\\tsclient’ (terminal server client).
The ‘\\tsclient’ share exposes each redirected local drive as a sub-share named after its drive letter. For instance, if you have shared your local C:\ drive via device redirection, it is reachable as ‘\\tsclient\c’ from within the RDP session, and it can be mapped to a drive letter on the remote host like any other network share. This lets users work with files that reside on their local drives directly from the remote Windows desktop, which enhances productivity and convenience. The same convenience is what RDStealer abuses: anything running on the remote host can read those shares for as long as the session is open.

Client Drive Mapping is the RDP feature that makes the drives of the local machine (the computer initiating the RDP session) visible inside the remote desktop session. It is the redirection channel that RDStealer watches for.
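To make the client-side exposure concrete, here is an added example (not code from the original write-up or from the RDStealer research) that audits the device-redirection settings in a standard mstsc .rdp connection file and emits a hardened copy with every redirection explicitly disabled. The key names are the standard .rdp settings; the sample profile, the risk descriptions and the helper function names are this example's own constructions.

```python
"""Audit and harden device redirection in an mstsc .rdp connection file.

Added example, not code from the original write-up. The key names are the
standard .rdp settings; the sample file and the risk notes are constructed.
"""

# String-valued keys listing redirected devices: "*" = everything, "" = none.
STRING_LIST_KEYS = {
    "drivestoredirect": "local drives exposed to the host as \\\\tsclient\\<letter>",
    "devicestoredirect": "plug-and-play devices exposed to the host",
}
# Integer flags: 1 = redirect, 0 = do not redirect.
FLAG_KEYS = {
    "redirectclipboard": "host can read the local clipboard",
    "redirectprinters": "local printers exposed to the host",
    "redirectcomports": "local serial ports exposed to the host",
    "redirectsmartcards": "local smart-card reader exposed to the host",
}

# Constructed sample: a jump-host profile that redirects all local drives.
SAMPLE_RDP = r"""full address:s:jump01.corp.example
username:s:CORP\alice
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
redirectsmartcards:i:1
"""


def parse_rdp(text):
    """Parse 'key:type:value' lines into {key: (type, value)}; keys are lower-cased."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank line or not a setting
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def audit_rdp(text):
    """Return (key, explanation) pairs for every redirection the file enables
    or leaves to the client's default (an absent key is reported too, because
    the default is then decided by the client, not by the profile)."""
    settings = parse_rdp(text)
    findings = []
    for key, risk in STRING_LIST_KEYS.items():
        if key not in settings:
            findings.append((key, "not set; client default applies"))
            continue
        _, value = settings[key]
        if value == "*":
            findings.append((key, f"'*' (everything): {risk}"))
        elif value:
            findings.append((key, f"'{value}': {risk}"))
    for key, risk in FLAG_KEYS.items():
        if key not in settings:
            findings.append((key, "not set; client default applies"))
        elif settings[key][1] == "1":
            findings.append((key, risk))
    return findings


def harden_rdp(text):
    """Return a copy of the profile with all redirection keys explicitly off.
    Unrelated lines (address, username, display settings) are kept verbatim."""
    out, seen = [], set()
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        key = parts[0].strip().lower() if len(parts) == 3 else None
        if key in STRING_LIST_KEYS:
            seen.add(key)
            out.append(f"{key}:s:")
        elif key in FLAG_KEYS:
            seen.add(key)
            out.append(f"{key}:i:0")
        else:
            out.append(raw)
    # Keys the file never set: write the safe value instead of trusting defaults.
    out.extend(f"{key}:s:" for key in STRING_LIST_KEYS if key not in seen)
    out.extend(f"{key}:i:0" for key in FLAG_KEYS if key not in seen)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, note in audit_rdp(SAMPLE_RDP):
        print(f"[weak] {key}: {note}")
    print("--- hardened profile ---")
    print(harden_rdp(SAMPLE_RDP), end="")
```

An empty `drivestoredirect` on the client is the control that directly denies RDStealer the \\tsclient shares it polls for; if you must redirect a drive into a host you do not fully trust, list a single scratch drive rather than `*`. The server-side equivalent is the "Do not allow drive redirection" Terminal Services policy (registry value `fDisableCdm`), which blocks client drive mapping for every session on that host regardless of the client's profile.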
RDStealer is a sophisticated malware consisting of five modules designed for malicious purposes. These modules include a keylogger, a persistence establisher, a data theft and exfiltration staging module, a clipboard content capturing tool, and a module controlling encryption/decryption functions, logging, and file manipulation utilities.
Upon execution, RDStealer enters an infinite loop that repeatedly calls a function named “diskMounted”. This function checks whether the connecting client's C, D, E, F, G, or H drive is exposed as a \\tsclient\<letter> share. As soon as one is found, the malware notifies its command and control (C2) server and begins exfiltrating data from the connected RDP client's drive.
RDStealer targets specific locations and file extensions on the redirected C:\ drive, including the KeePass password database, SSH private keys, and the configuration and saved connections of the Bitvise SSH client, MobaXterm, and mRemoteNG, among others. This selection shows that the attackers behind RDStealer are primarily interested in credentials that can be used for lateral movement within a network.
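The polling behaviour described above gives defenders something to alert on. The following is an added example of detection logic, not code from the original write-up or from the malware analysis. It runs over constructed file-access events in a simplified one-line format (not real EDR or Sysmon output) and flags two things: a process that probes several \\tsclient\<letter> roots within a short window, which mirrors the diskMounted loop, and any process opening a known credential store on a redirected drive. The process name svcupdate.exe, the event format, and the concrete sensitive file names are assumptions made for this example.

```python
"""Detect RDStealer-style abuse of RDP client drive mapping.

Added example, not code from the original write-up. The event format, the
sample events and the process name svcupdate.exe are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event format: "<ISO time> pid=<n> image=<path> op=<open|stat> target=<path>"
EVENT_RE = re.compile(r"^(\S+) pid=(\d+) image=(\S+) op=(\w+) target=(.+)$")
# \\tsclient\<letter> with an optional sub-path below the drive root
TSCLIENT_RE = re.compile(r"^\\\\tsclient\\([a-z])(?:\\(.*))?$", re.IGNORECASE)

# Credential stores RDStealer is reported to look for. The concrete file names
# (KeePass .kdbx, OpenSSH/PuTTY keys, mRemoteNG confCons.xml, MobaXterm.ini)
# are this example's assumptions.
SENSITIVE_NAMES = {"confcons.xml", "mobaxterm.ini", "id_rsa", "id_ecdsa", "id_ed25519"}
SENSITIVE_SUFFIXES = (".kdbx", ".ppk")

POLL_WINDOW = timedelta(seconds=10)   # drive-root probes closer than this count as one sweep
POLL_MIN_DRIVES = 3                   # distinct drive letters probed before we alert

# Constructed telemetry: explorer browsing a redirected drive (benign) and a
# process under System32\wbem sweeping C..H, then opening credential files.
SAMPLE_EVENTS = r"""2024-01-10T09:00:00 pid=4120 image=C:\Windows\explorer.exe op=open target=\\tsclient\C\Users\alice\report.docx
2024-01-10T09:00:01 pid=7788 image=C:\Windows\System32\wbem\svcupdate.exe op=stat target=\\tsclient\C
2024-01-10T09:00:01 pid=7788 image=C:\Windows\System32\wbem\svcupdate.exe op=stat target=\\tsclient\D
2024-01-10T09:00:01 pid=7788 image=C:\Windows\System32\wbem\svcupdate.exe op=stat target=\\tsclient\E
2024-01-10T09:00:02 pid=7788 image=C:\Windows\System32\wbem\svcupdate.exe op=stat target=\\tsclient\F
2024-01-10T09:00:02 pid=7788 image=C:\Windows\System32\wbem\svcupdate.exe op=stat target=\\tsclient\G
2024-01-10T09:00:02 pid=7788 image=C:\Windows\System32\wbem\svcupdate.exe op=stat target=\\tsclient\H
2024-01-10T09:00:05 pid=7788 image=C:\Windows\System32\wbem\svcupdate.exe op=open target=\\tsclient\C\Users\alice\Documents\vault.kdbx
2024-01-10T09:00:06 pid=7788 image=C:\Windows\System32\wbem\svcupdate.exe op=open target=\\tsclient\C\Users\alice\.ssh\id_rsa
2024-01-10T09:00:07 pid=4120 image=C:\Windows\explorer.exe op=stat target=\\tsclient\D
2024-01-10T09:00:08 pid=9001 image=C:\Windows\System32\notepad.exe op=open target=C:\Users\bob\notes.txt
"""


def parse_events(text):
    """Parse event lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, pid, image, op, target = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "image": image, "op": op.lower(), "target": target})
    return events


def classify_target(target):
    """Return (DRIVE, subpath) for a \\tsclient path, or None for anything else."""
    m = TSCLIENT_RE.match(target)
    if not m:
        return None
    return m.group(1).upper(), (m.group(2) or "")


def detect(events, allowlist=()):
    """Return findings for drive-root sweeps and credential-store reads on \\tsclient.
    allowlist: image paths exempt from the credential-store rule (sweeps always alert)."""
    allowed = {a.lower() for a in allowlist}
    findings = []
    probes = defaultdict(list)  # (pid, image) -> [(ts, drive)] for bare drive-root accesses
    for ev in events:
        hit = classify_target(ev["target"])
        if hit is None:
            continue
        drive, subpath = hit
        if subpath == "":
            probes[(ev["pid"], ev["image"])].append((ev["ts"], drive))
            continue
        name = subpath.rsplit("\\", 1)[-1].lower()
        if (name in SENSITIVE_NAMES or name.endswith(SENSITIVE_SUFFIXES)) \
                and ev["image"].lower() not in allowed:
            findings.append({"rule": "tsclient_credential_store", "pid": ev["pid"],
                             "image": ev["image"], "detail": ev["target"]})
    # Sliding window over each process's drive-root probes: the diskMounted loop
    # touches C..H in quick succession, a human browsing a share does not.
    for (pid, image), plist in probes.items():
        plist.sort()
        for i, (t0, _) in enumerate(plist):
            drives = {d for t, d in plist[i:] if t - t0 <= POLL_WINDOW}
            if len(drives) >= POLL_MIN_DRIVES:
                findings.append({"rule": "tsclient_drive_polling", "pid": pid,
                                 "image": image, "detail": "".join(sorted(drives))})
                break
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{f['rule']}: pid={f['pid']} image={f['image']} ({f['detail']})")
```

The allowlist exists for the credential-store rule only, and it should be used sparingly: RDStealer deliberately lives under paths such as System32\wbem and vendor folders, so a process name or path by itself is weak evidence of legitimacy. The sweep rule has no allowlist for that reason; if a legitimate tool on your hosts enumerates redirected drives, tune the window or the drive-count threshold rather than exempting an image.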
In summary, high-risk malware infections like Logutil and RDStealer can lead to severe privacy issues, financial losses, and identity theft. When targeted at highly sensitive entities such as institutions, organizations, and governmental bodies, the consequences can be even more significant.
Examples of Stealer-type malware
Our recent research has covered numerous stealers, including FadeStealer, RustyStealer, Mystic Stealer, and Skuld.
Information-stealing software can focus on specific details or a wide range of data. Additionally, malicious functionalities are not mutually exclusive, allowing malware to possess different combinations of capabilities.
Regardless of the operating mechanisms of malicious software, its presence on a system jeopardizes device integrity and user safety. Therefore, immediate elimination of all threats upon detection is crucial.
How did RDStealer infiltrate my computer?
The precise method of RDStealer infiltration remains unknown. Generally, malware is propagated through phishing and social engineering techniques. In sophisticated campaigns targeting specific entities, such as RDStealer, these tactics are often tailored for the intended targets.
Malicious software is typically disguised as or bundled with ordinary program/media files. These files can be executables (.exe, .run, etc.), archives (ZIP, RAR, etc.), documents (Microsoft Office, Microsoft OneNote, PDF, etc.), JavaScript, and more. Once a malicious file is executed, run, or opened, the infection chain is triggered.
The most commonly used methods for distributing malware include malicious attachments/links in spam emails, drive-by (stealthy/deceptive) downloads, suspicious download channels (freeware and free file-hosting websites, P2P sharing networks, etc.), illegal software activation tools, fake updates, online scams, and malvertising. Furthermore, certain malicious programs can self-propagate through local networks and removable storage devices (external hard drives, USB flash drives, etc.). RDStealer itself spreads to the machines of RDP clients that connect to an infected host with client drive mapping enabled.